* [PATCH] ALSA: pcm: prevent snd_pcm_action after substream detach
@ 2026-02-08 18:53 Soham Kute
2026-02-09 9:34 ` Takashi Iwai
0 siblings, 1 reply; 2+ messages in thread
From: Soham Kute @ 2026-02-08 18:53 UTC (permalink / raw)
To: tiwai
Cc: perex, linux-sound, linux-kernel, Soham Kute,
syzbot+16b2b67ae905feb8a289
syzbot reported a slab use-after-free in snd_pcm_post_stop() caused by
snd_pcm_action() being invoked after snd_pcm_detach_substream() has
already freed the PCM runtime.
The previous approach attempted to guard against NULL runtime access in
the post-action callback, which only masked the symptom. As pointed out
in review, this does not address the underlying lifetime issue.
Fix the root cause by preventing snd_pcm_action() from running once the
substream runtime has been detached, ensuring that no PCM actions are
executed after teardown.
Reported-by: syzbot+16b2b67ae905feb8a289@syzkaller.appspotmail.com
Signed-off-by: Soham Kute <officialsohamkute@gmail.com>
---
sound/core/pcm_native.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index 932a9bf98..a29dbbc21 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1391,6 +1391,9 @@ static int snd_pcm_action(const struct action_ops *ops,
struct snd_pcm_group *group;
int res;
+ if (WARN_ON_ONCE(!substream->runtime))
+ return 0;
+
group = snd_pcm_stream_group_ref(substream);
if (group)
res = snd_pcm_action_group(ops, substream, state, true);
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] ALSA: pcm: prevent snd_pcm_action after substream detach
2026-02-08 18:53 [PATCH] ALSA: pcm: prevent snd_pcm_action after substream detach Soham Kute
@ 2026-02-09 9:34 ` Takashi Iwai
0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2026-02-09 9:34 UTC (permalink / raw)
To: Soham Kute
Cc: tiwai, perex, linux-sound, linux-kernel,
syzbot+16b2b67ae905feb8a289
On Sun, 08 Feb 2026 19:53:40 +0100,
Soham Kute wrote:
>
> syzbot reported a slab use-after-free in snd_pcm_post_stop() caused by
> snd_pcm_action() being invoked after snd_pcm_detach_substream() has
> already freed the PCM runtime.
>
> The previous approach attempted to guard against NULL runtime access in
> the post-action callback, which only masked the symptom. As pointed out
> in review, this does not address the underlying lifetime issue.
>
> Fix the root cause by preventing snd_pcm_action() from running once the
> substream runtime has been detached, ensuring that no PCM actions are
> executed after teardown.
>
> Reported-by: syzbot+16b2b67ae905feb8a289@syzkaller.appspotmail.com
>
> Signed-off-by: Soham Kute <officialsohamkute@gmail.com>
Thanks for the revised patch. This patch puts the check at a better
place than the previous patch, but it's still misleading; this doesn't
address the root cause at all. It's just plugging a hole at a middle
point of the code path.
I guess you're trying to fix the UAF report for aloop driver, and this
was already addressed by the recent patch (included in 6.19).
Please check whether you still see the problem with 6.19 release.
thanks,
Takashi
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-02-09 9:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-08 18:53 [PATCH] ALSA: pcm: prevent snd_pcm_action after substream detach Soham Kute
2026-02-09 9:34 ` Takashi Iwai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox